Publications catalogue - books


Advances in Information and Computer Security: 1st International Workshop on Security, IWSEC 2006, Kyoto, Japan, October 23-24, 2006, Proceedings

Hiroshi Yoshiura ; Kouichi Sakurai ; Kai Rannenberg ; Yuko Murayama ; Shinichi Kawamura (eds.)

Conference: 1st International Workshop on Security (IWSEC). Kyoto, Japan. October 23, 2006 - October 24, 2006

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Data Encryption; Operating Systems; Management of Computing and Information Systems; Computers and Society; Computer Communication Networks; Algorithm Analysis and Problem Complexity

Availability

Detected institution: Not detected
Publication year: 2006
Browse: SpringerLink
Download: –
Request: –

Information

Resource type:

books

Print ISBN

978-3-540-47699-3

Electronic ISBN

978-3-540-47700-6

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer-Verlag Berlin Heidelberg 2006

Table of contents

Chosen Ciphertext Security from Identity-Based Encryption Without Condition

Chik How Tan

Recently, Canetti et al. [11] gave a generic construction (called the CHK construction) of public key encryption (PKE) from a selective identity-based encryption scheme combined with a strong one-time signature scheme. Later, a few schemes were proposed to improve the efficiency of the CHK construction [11]; for example, the Boneh-Katz scheme [8] replaced the strong one-time signature with a message authentication code, and the Boyen-Mei-Waters scheme [9] was constructed directly from Waters’ IBE scheme. But both constructions trade off either the publicly verifiable property or security against adaptive chosen-ciphertext attack. We ask whether it is possible to construct an efficient and publicly verifiable PKE scheme from a selective IBE scheme with a weak one-time signature scheme. In this paper, we provide an affirmative answer and construct a public key encryption scheme which preserves the publicly verifiable property and is secure against adaptive chosen-ciphertext attack. The construction of the proposed scheme is based on the Boneh-Boyen identity-based encryption (IBE) scheme [5] and a weak one-time signature scheme (using Waters’ signature scheme [24]) built within the Boneh-Boyen IBE scheme. In this construction, the one-time signature scheme is not required to be strongly existentially unforgeable, as Waters’ signature scheme is not strongly existentially unforgeable. We also show that the proposed scheme is “almost” as efficient as the original Boneh-Boyen IBE scheme.

- Encryption and Key Exchange | Pp. 292-307

Ciphertext-Auditable Public Key Encryption

Satoshi Hada; Kouichi Sakurai

Loss of backup tapes containing personal information (PI) is a potential breach of privacy, and encryption is the typical way to prevent the breach. This paper considers an attack scenario where an adversary who encrypts the PI for backup purposes tries to hide the plain PI in a valid-looking ciphertext without being detected. We show that the standard security notion IND-CCA2 does not capture such a scenario. For example, the Cramer-Shoup scheme is vulnerable to such an attack. To capture such a scenario, we define a new notion of “ciphertext-auditability” as a new property of public key encryption schemes (PKESs). It requires that, given a public key and a ciphertext, anyone should be able to verify whether the ciphertext was actually generated using the public key. Also, it requires that, given a public key and a plaintext, no adversary should be able to generate a valid-looking ciphertext such that the verification passes, but nevertheless the plaintext can be recovered from the ciphertext without the corresponding secret key. We propose a general construction of such PKESs based on standard cryptographic primitives in the random oracle model.

- Encryption and Key Exchange | Pp. 308-321

Provably-Secure Two-Round Password-Authenticated Group Key Exchange in the Standard Model

Jeong Ok Kwon; Ik Rae Jeong; Dong Hoon Lee

Password-authenticated group key exchange (PAGKE) allows group users to share a session key using a human-memorable password. The fundamental security goal of PAGKE is security against dictionary attacks. Several solutions have been proposed to solve this problem, but most of them require a number of rounds that increases linearly in the number of group users, so they are neither scalable nor practical. Recently a provably-secure constant-round PAGKE protocol overcoming this shortcoming was proposed at PKC ’06. However, current PAGKE protocols have been proven secure in the ideal model. The ideal model assumes that some functions are “ideal” functions (or random functions). In the ideal cipher model, we assume a block cipher is an ideal cipher, and in the ideal hash model (also called the random oracle model), we assume a hash function is an ideal hash function. However, it is well known that a provably-secure scheme in the ideal model may be insecure if the ideal functions are implemented by real functions. In this paper we propose the first provably-secure PAGKE protocol in the standard model. Our protocol is a two-round protocol, and the security of the protocol is reduced to the Decisional Diffie-Hellman (DDH) problem.

- Encryption and Key Exchange | Pp. 322-336

On the Effectiveness of TMTO and Exhaustive Search Attacks

Sourav Mukhopadhyay; Palash Sarkar

In this paper, we consider time/memory trade-off (TMTO) and exhaustive search attacks and analyze their effectiveness on various key sizes. The first part of the paper is an overview of TMTO methodology and summarizes earlier work on hardware implementation of TMTO and exhaustive search attacks. The second part of the paper develops a cost model for analysing the effectiveness of generic attacks. Analysis of the cost model shows that 128-bit keys seem safe for the present. However, key sizes less than 96 bits do not provide comfortable security assurances. This is particularly relevant for the 80-bit stream ciphers in the Ecrypt call for stream ciphers as well as for the A5/3 encryption algorithm used in GSM mobile phones.

- Cryptanalysis and Implementation | Pp. 337-352

Low Power AES Hardware Architecture for Radio Frequency Identification

Mooseop Kim; Jaecheol Ryou; Yongje Choi; Sungik Jun

We present a new architecture of Advanced Encryption Standard (AES) cryptographic hardware which can be used as a cryptographic primitive supporting privacy and authentication for Radio Frequency Identification (RFID). RFID is a technology to identify goods or persons carrying tags. While it is a convenient way to track items, it also provides opportunities to track people and their activities through their belongings. For these reasons, privacy and authentication are a major concern with RFID systems, and many solutions have been proposed. M. Feldhofer, S. Dominikus, and J. Wolkerstorfer introduced the Interleaved Protocol, which serves as a means of authenticating an RFID tag to reader devices, in [14]. They designed very small and low power AES hardware as a cryptographic primitive. In this contribution, we introduce a novel method to increase the operating speed of the previous method for low power AES cryptographic circuits. Our low power AES cryptographic hardware can encrypt a 128-bit data block within 870 clock cycles using less than 4000 gates, and has a power consumption of about 20 or less on a 0.25 CMOS process.

- Cryptanalysis and Implementation | Pp. 353-363

The High-Speed Packet Cipher System Suitable for Small Sized Data

Sang-Hyun Park; Hoon Choi; Sang-Han Lee; Taejoo Chang

Since all data input to and output from a cryptographic module must pass through its interface, performance degradation caused by interface constraints is inevitable for small data packets, even with the best-performing cipher chip. This paper proposes the High-Speed Packet Cipher System, which encrypts even small packet data at high speed by improving the packet data processing method used in existing cryptographic modules. The test results show that a speed of 68 Mbps is achieved for 32-byte packets, compared with 0.5 Mbps for the 4-step procedure.

- Cryptanalysis and Implementation | Pp. 364-377

A Tool for Managing Security Policies in Organisations

Anna V. Álvarez; Karen A. García; Raúl Monroy; Luis A. Trejo; Jesús Vázquez

Security policies are rules aimed at protecting the resources of an organisation from the risks associated with computer usage. Designing, implementing and maintaining security policies are all error prone and time consuming. We report on a tool that helps manage the security policies of an organisation. Security policies are formalised using first-order logic with equality and the unique names assumption, closely following the security policy language suggested in [1]. The tool includes a link to an automated theorem prover, Otter [2], and to a model finder, Mace [2], used to formally verify a set of formal security policies. It also includes a GUI and a number of links to read information and security policies from organisation databases and access control lists.

- Access Control | Pp. 378-388

Information Flow Query and Verification for Security Policy of Security-Enhanced Linux

Yi-Ming Chen; Yung-Wei Kao

This paper presents a Colored Petri Nets (CPN) approach to analyze the information flow in the policy file of Security-Enhanced Linux (SELinux). SELinux access control decisions are based on a security policy file that contains several thousand security rules. It becomes a challenge for a policy administrator to determine whether a modification of the security policy file conforms to the pre-specified security goals. To address this issue, this paper proposes a formal information flow model for the SELinux security policy file, and presents a simple query language to help administrators express the expected and unexpected information flows. We developed a method to transform the SELinux policy and security goal into a Policy CPN Diagram and a Query CPN Diagram. A tool named SEAnalyzer that can automatically verify the SELinux policy has been developed, and two application examples of this tool are presented.

- Access Control | Pp. 389-404

The Complexity of Discretionary Access Control

Stephen Dranger; Robert H. Sloan; Jon A. Solworth

A recent paper presented an access control scheme for discretionary access controls with a decidable safety problem. This paper deals with the complexity analysis of that access control, and finds it to be, in its worst cases, PSPACE-complete, but polynomial time for practical cases. The PSPACE-hardness reduction uses the theory of succinct problems in a more general manner than circuit representation.

- Access Control | Pp. 405-420

Traceroute Based IP Channel for Sending Hidden Short Messages

Zouheir Trabelsi; Hesham El-Sayed; Lilia Frikha; Tamer Rabie

The paper proposes a novel IP channel for sending hidden short messages, based mainly on the use of the “traceroute” command and the IP header Record Route option. Instead of encrypting a hidden message or embedding it into a multimedia object, as in traditional multimedia steganography, we process the entire message and generate several IP packets of different types to carry the secret message. Thereby we foil an eavesdropper who is primarily applying statistical tests to detect encrypted communication channels. We show that our approach provides more protection against steganalysis and sniffing attacks. A user-friendly graphical tool has been implemented to demonstrate the proposed secret IP channel.

- Access Control | Pp. 421-436